The Complete Guide to Outsourcing Managed Security Services

For most enterprises, there are only two security options: outsourcing or waiting around for disaster to strike. With the growing sophistication of hackers, the rapid adoption of new technologies and the ever-increasing complexity of regulatory compliance, almost no one has the internal resources to adequately defend their IT landscape.

But outsourcing managed security services isn’t easy. There are very few providers who can take care of everything, and companies are often forced to work with a large portfolio of security and compliance providers, or outsource certain tasks (such as monitoring and incident response) while keeping others in-house. This can lead to a fragmented security team that can’t respond adequately to threats. Here’s why companies need to look for a complete managed security and compliance solution.

The State of Managed Security Services

Companies are outsourcing managed security services at a rapid pace. The global managed security market is expected to hit $35.8 billion by 2022. Cloud security in particular is skyrocketing, with a compound annual growth rate projected to remain above 19.5% through 2022.

One market driver is the need to combat the growing threat from cyber criminals. Hackers have monetized a wide range of cyber security vulnerabilities in an organized black market economy. Automation techniques like crypting services allow hackers to develop and spread new threats much more quickly — and packaged, all-in-one hacking tools allow almost anyone to mount cyber-attacks.

Accelerated technological adoption is another reason companies are outsourcing managed security services. Organizations are hosting more applications and data in more clouds, which they’re accessing with a greater variety of devices. Many are adopting relatively new technologies like the Internet of Things, or adding data analytics, social media integration and other layers to their landscape. Lacking the internal security expertise to protect such a complex landscape, many companies are partnering with managed cyber security servicesproviders to fill the gaps.

Growing regulatory pressure is another major driver of managed security services outsourcing. Compliance enforcement penalties are increasing and regulatory bodies are enforcing standards more rigorously, warranting greater investment in compliance. But more importantly, the complexity of compliance is skyrocketing.

Modern enterprises need to maintain detailed audit logs of everything, and be able to quickly remediate security and compliance threats. Old methods of compliance involving manually examining records and entering data into spreadsheets won’t cut it anymore — the process is too slow, inefficient, expensive and error-prone. Many companies are realizing GRC software automation is the only way to go, and are employing managed security and compliance teams to modernize or completely run their compliance efforts.

But equally important, the options for outsourcing managed security services have improved. Not that long ago, it was up to the client to piece together multiple security and compliance teams to protect their landscape. Not only did this pose substantial administrative overhead, it also often leads to communication or service gaps between providers, which could weaken security.

The Complete Guide to Outsourcing Managed Security Services

The Consequences of a Security Breach Are Growing

In 2015, the average data breach cost the victim $3.79 million according to the Ponemon institute — a 7.8% increase from the $3.52 million in 2014. Secondary costs of security breaches, such as alienating consumers and harming brand reputation are also growing. A recent survey shows that 78% of Americans and Germans and 85% of UK residents ranked having their financial data stolen as a top concern.

Increasing press coverage of breaches can compound the damage by making it harder to manage public perception in the aftermath. According to the same survey, at least half of those who had been breached learned about it from the media and not the company itself.

And the number of breaches is truly massive. The Ponemon Institute says the likelihood of a breach happening over 24 months is 26% — more than one in four — but breaches may be even more common. Opportunistic data theft often leaves no trace, and companies that aren’t required to disclose rarely do, so the true number is probably much higher. And while the number of breached records fell in 2015, there were still 707.5 million records stolen by hackers. That’s 1,346 every minute.

Outsourcing Managed Security Services Protects Against Elite Hackers

The bigger an organization, the more resources it has. Yet, while security-conscious small businesses can often handle their own internal security successfully, the task is much more difficult for enterprise-level organizations.

There are a few reasons for this. Most obviously, an organization with a large revenue stream makes a more tempting target than a mom and pop store. It has more valuable intellectual property for cyberspies, a much bigger customer database for identity thieves and usually, powerful partners or clients to target in secondary attacks.

Data from enterprises is often a target for state-sponsored hackers, because it can be combined with other hacked data to provide intelligence on powerful government and industry people. For example, the hackersresponsible for the Office Personnel Management (OPM) breach — likely working for the Chinese government — are also believed to be responsible for breaches of both the health insurance provider Anthem and United Airlines.

These are some of the most skilled hackers in the world, with far more resources at their disposal than the hackers who tend to hit small businesses. Very few organizations can provide the level of security and compliance monitoring required to stop such an attack without outsourcing managed security services.

It’s not just that bigger companies attract more bad guys — they’re also inherently more vulnerable. Every user account, application, system and network connection in your organization is part of your attack surface — that is, they’re all things a hacker could try to exploit to compromise your security. A small organization might only use email and a few off-the-shelf apps. Compare that to an enterprise, with dozens of clouds and hundreds of apps, spread across thousands of computers on multiple continents.

And that doesn’t even include the interfaces with your partner. If your company has a 3rd party payment processor or outsources functions like logistics or accounting, your networks are connected. If hackers compromise a partner’s network, they can use that access to invade your network next.

And many of the riskiest systems aren’t even under your control. If your workers are telecommuting, their computers and Internet connections could be vulnerable to a wide range of threats, from unsecured WiFi, to unpatched operating systems to stolen portable devices. In office, it’s not much better. The 3rd party app your sales manager uses to take care of appointments could be a trojan horse. The social media post your front desk manager clicks during lunch or the cleverly disguised email your CEO opens could contain malware that steals their account credentials.

The point is, linear growths in your business lead to exponential growths in attack surface. And when your organization reaches a certain size and complexity, there’s no practical way to handle security internally anymore. Outsourcing managed security services becomes the only option.

Security and compliance aren’t the same, and there’s also a difference between cyber security and internal SAP security. Yet these domains overlap, and can benefit from a shared outsourcing strategy.

Outsourcing managed security services often focuses on protection against external threats. Providers use a combination of perimeter defenses, monitoring, network hardening and other techniques to prevent hackers from gaining access to your landscape and data.

But not every managed security services outsourcing provider will protect you against internal threats. If your landscape isn’t properly configured, your own team can pose risks by accessing restricted data, or even creating false transactions to cover up embezzlement. Protecting against these threats falls under the domain of SAP security services. You’ll need a provider to create strict role-based rules for how users can access and modify data to prevent internal corruption and abuse. These rules should be backed up with monitoring to detect suspicious internal behavior.

Compliance is the regulatory framework that guides SAP security. It requires logging of user access, segregation of duties and other controls. Record and transaction logs need to be available to auditors, who can guide companies in reducing risks and addressing internal security issues.

Successfully outsourcing managed security services doesn’t always require your company to outsource SAP security and compliance. However, you do need to establish a system where all three can work together. Whoever monitors network access needs to be alert to both internal and external threats, and the team that implements internal controls need to work closely with your compliance team to address legal requirements and best practices.

In many cases, outsourcing managed security services, SAP security and SAP compliance together yields the most secure and cost effective results — if you can find a partner with the broad expertise required.

Outsourcing Managed Security Services — the Five Security Levels

Your system has five levels of security :

Physical — Access controls for buildings, data centers, etc.

Network — Restricting access to your network or between areas of your network

Application — Rules controlling what data and apps users can access or change

System Administration — Configuration, monitoring and troubleshooting your system as a whole.

To be successful, your outsourcing managed security services provider needs to address all five levels. Doing that requires a complex, multi-tiered approach.

First, your security needs to be strengthened across all levels. For example, your provider should use network security architecture best practices like hardening to protect against external attacks, and segmentation to protect high security parts of your network from potentially dangerous traffic. Patch management tools and file integrity monitoring provide protection on the OS and Database level. On the SAP level, SAP GRC tools like ControlPanelGRC can enforce good internal security and compliance.

Experience is the most important ingredient in good system administration, but automation tools like ControlPanelGRC Basis Control Suite can reduce the potential for human error and help admins do their jobs more effectively. With the chronic shortage of highly qualified SAP administrators, many companies will benefit from outsourcing SAP Basis support administration along with managed security services.

No matter how strong a fortress is, it still needs guards, armed with effective defensive weapons. Security Information and Event Management (SIEM) and vulnerability management provide 24/7/365 defense of your IT infrastructure.

SIEM detects and responds to threats in real time. Symmetry’s Comprehensive Cyber Security Defense Center logs and monitors system activity for events that could indicate a potential security threat. For example, if a hacker is trying to guess a user’s password, the system will show multiple failed logon attempts. Our incident response team is alerted, quickly investigates and neutralizes the threat.

Vulnerability management provides ongoing strengthening of your infrastructure. Our cyber security servicesteam will scan and review all levels of your system for vulnerabilities that could give a hacker access. Our security professionals will also engage in regular penetration testing — attempting to gain access the way a hacker would — in order to identify and fix any undetected security weaknesses.

This approach integrates cyber security, SAP security and compliance. The client can opt for support in select areas — for example, harnessing an internal compliance team and outsourcing managed security services or vice versa — or choose a complete security and compliance package. We can also provide training, annual compliance reviews and other services to strengthen your own internal controls.

Outsourcing Managed Security Services Should Be a Complete Solution

Symmetry offers the most comprehensive managed security services suite in the industry, hands down. We have an elite team of SAP, security and compliance professionals in-house and a network of industry-leading partners to provide cutting edge tools and continuous monitoring.

Scott Goolik is VP of Compliance and Security Services at Symmetry. A recognized expert in the field of SAP security and compliance, Scott has over 20 years of expertise in SAP security and is a regular presenter at SAP industry tradeshows and ASUG events. His experience includes working for one of the Big Four accounting firms and developing auditing tools, including those for segregation of duties (SOD). Scott is also responsible for architecting the ControlPanelGRC® solution which provides audit automation and acceleration of security and control processes.